Board of Governors of the Federal Reserve System
Federal Deposit Insurance Corporation
Office of the Comptroller of the Currency
Office of Thrift Supervision

AGENCIES ISSUE UPDATED POLICY STATEMENT ON INTERNAL AUDITING

For Immediate ReleaseFDIC-PR-24-2003

March 17, 2003

The federal banking and thrift regulatory agencies today revised their guidance on the independence of accountants who provide institutions with both external and internal audit services to reflect the provisions of the Sarbanes-Oxley Act of 2002.

The updated Interagency Policy Statement on the Internal Audit Function and Its Outsourcing, which replaces a policy issued in 1997, also reflects the agencies' experience with the 1997 policy and incorporates recent developments in internal auditing. It was issued by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision.

The Sarbanes-Oxley Act and recently adopted Securities and Exchange Commission (SEC) rules prohibit an accounting firm from acting as the external auditor of a public company during the same period that the firm provides internal audit services to the company. The revised policy statement separately discusses the applicability of this prohibition to institutions that are public companies; insured depository institutions with $500 million or more in assets that are subject to the annual audit and reporting requirements of Section 36 of the Federal Deposit Insurance Act; and non-public institutions that are not subject to Section 36.

The existing guidelines for institutions subject to Section 36 provide for their external auditors to meet the SEC's independence requirements. Auditors for these institutions, whether or not they are public companies, should comply with the prohibition on internal audit outsourcing in the SEC's rules.

The policy statement encourages non-public institutions not subject to Section 36, which includes non-public depository institutions with less than $500 million in assets, to refrain from outsourcing internal audit activities to their external auditor. If such an institution decides to use the same firm for both internal and external audit work, however, the audit committee should document its consideration of the independence issues associated with this arrangement.

In addition to changes related to the Sarbanes-Oxley Act, the agencies enhanced the 1997 policy statement's discussion of the responsibilities of the board of directors and senior management with respect to the internal audit function and its placement within an organization, its management and staffing, and the communication of concerns and weaknesses in accounting and internal control. The policy also reiterates the need for institutions to maintain strong systems of internal control, including internal controls over financial and regulatory reporting, and high quality internal audit programs. Expanded guidance has been provided on the use of independent reviews of significant internal controls by small institutions that do not have a formal internal audit manager or staff. The policy statement also includes guidance for examiners on addressing concerns they may have about the adequacy of the internal audit function or related outsourcing arrangements.